“Our potential customers are asking more and more for compliance reporting, especially within NIS2. So, we need to show that we have this in place before customers even want to discuss price and technical solutions.”
Max Larsen
CTO at Cloud Factory
This has become a common premise in sales meetings for Max Larsen. He’s CTO at Cloud Factory and has day-to-day responsibility for the company’s Partner Care department and the team that delivers Infrastructure as a Service.
In addition to being a distributor of Microsoft licenses, Cloud Factory makes server capacity available to their partners. These servers are being used for hosting end-customers’ data. There’s a clear split between Cloud Factory and the partners’ servers, as Cloud Factory does not have access to them.
However, this does not change the fact that IT security and compliance are high on the agenda at Cloud Factory:
“We don’t have access to servers that our partners buy and build, but where compliance becomes essential for us is when our partners and their end-customers ask how we comply with their specific compliance and IT security requirements.”
Max Larsen
This is why Cloud Factory’s partners’ end-customers have high demands when it comes to IT-security:
“If our partners’ customers are affected by NIS2, they pass on the requirements to us. Being able to document and demonstrate our compliance and IT-security is therefore essential for the business.”
Max Larsen
When the NIS2 requirements came
Cloud Factory has seen explosive growth in just a few years. The 2023 financial statements show a turnover of around DKK 180 million, which represents a growth of 100 million since 2021.
With that growth came higher compliance requirements and other regulatory obligations as Cloud Factory began handling a larger and larger number of partners and customers:
“When we have so many partners talking to even more end-customers, the compliance requirements naturally affect us too.”
Max Larsen
In addition to partners’ end-customers, Cloud Factory’s potential partners have started to make demands on the company’s IT-security – and therefore ask for documentation of Cloud Factory’s NIS2 compliance.
Based on GDPR experience, Cloud Factory knew that a well-structured and continuous approach to managing compliance activities was needed.
When NIS2 ‘began to simmer’, Cloud Factory had to act quickly for two reasons:
- As a digital infrastructure provider, they are affected by the NIS2 Directive.
- They would secure future growth by demonstrating NIS2 compliance to partners and their end-customers.
However, the GDPR experience wasn’t the only reason why Max Larsen recognized the need at Cloud Factory:
“We’ve been on top of NIS2 for a long time, as we’ve had an ISAE 3402 for all the years we’ve been doing Infrastructure as a Service in Cloud Factory. However, we’ve done everything in Excel sheets combined with project management tools before, which made it difficult to keep an overview. So, we needed a system that could help provide an overview and structure.”
Max Larsen
Max Larsen was aware that it would be difficult to build such a system internally to raise Cloud Factory’s compliance level further. The NIS2 Directive does not lay out a structure in advance, nor is it obvious what needs to be audited:
“If you have to build it yourself, it becomes very complex, and you need to have so much knowledge about everything in IT-security and NIS2 in order not to miss the essentials.”
Max Larsen
Had good experience with ComplyCloud
As Cloud Factory was already using ComplyCloud’s GDPR solution, Max Larsen and the rest of the compliance group knew that compliance tasks in the platform are given in advance.
At the same time, the solution offers structure and overview, as you get automatic reminders and tasks that need to be followed up on or acted upon.
This is precisely why Cloud Factory chose to use ComplyCloud to ensure the company’s NIS2 compliance.
“You get a roadmap, some checkboxes and tasks to solve. This gives us a huge sense of security that we are tackling compliance correctly. So, we chose ComplyCloud, first and foremost because it’s a good IT-system, but also because we got legal advice. That has been extremely important to us.”
Max Larsen
Cloud Factory is even stronger in their work with NIS2 thanks to the ComplyCloud solution, which is the fundamental tool for the company’s compliance steering group.
Ensuring a systematic approach – and peace of mind
The clear timeline and guidance on best practice from ComplyCloud have ensured a systematic approach and a sense of peace of mind. These are two important components in working with NIS2, as it’s a challenge for many companies to understand the requirements of the NIS2 Directive and then ‘translate’ them into their own reality.
It has been a big plus for Cloud Factory that they didn’t have to start from scratch. With ComplyCloud’s NIS2 solution, a framework was defined in advance for which standards and plan to follow to become NIS2-compliant:
“Getting started with ComplyCloud was easy as their defined framework sets the path to NIS2 compliance.”
Max Larsen
Today, Max Larsen and his team also use ComplyCloud’s risk and vendor management modules. As risk and vendor management is a key part of NIS2, it has given Cloud Factory a complete overview of their supply chain – and, not least, confidence that they’re in control of their sub-suppliers.
Max Larsen and the rest of the steering group are still preparing for NIS2, guided by ComplyCloud’s award-winning software and legal advice.
Want to learn more about how we can also help your organization become NIS2 compliant before the NIS2 Directive is implemented by law in October 2024? Let’s set you up with one of our experts.